Custom Account AuthTokens


#1

Short version: I want something like github’s oauth apps thing in glitch.

Extremely Long version:
I was wondering if there could be an authentication protocol for a glitch account such as generating manageable access keys and similar. The way this could be used is forms of configurable auth tokens to use with the api to access a user’s account. Maybe something like oauth with configurable tokens? I’m thinking of a cool concept for a glitch app that uses glitch’s api to do some magic and some projects for users, but the only way I can think of it working is asking users for their personal token, which is pretty shady and dangerous seeming. Tokens with limits could make it seem safer, and even if the token asks for all permissions anyways, at least you can just delete it if it seems to be using you. I would be pretty happy if this could be implemented as a feature, as it would allow people to get some control over projects and settings via the api with authentication. Plus, if the user chooses permissions and not, this is basically totally authorized access.

My idea on how it would work would be similar to this:

Create an authenticator by going to some part of some settings or something, add a name, redirect uri, and some other things you guys may want. Then probably a little auth url generator tool would be made where you check checkboxes to choose parameters to ask for. Those urls would be used to do some auth for your glitch app.

Approve an authentication by looking through what it asks for, clicking a button, maybe double checking their account’s auth method (stuff like github/facebook login or other methods if added ever), and then the redirect uri is called containing a query parameter containing the token.

Check tokens by going into some settings and stuff, looking for some tab named auth tokens, allowing you to check each token’s permissions, and if you pass an auth method test, you can access the token values and delete tokens for a few hours.

Also one last thing, you should add a GET /tokens/:token method to the api with a /validate method that checks if it is still valid (replies with true/false) and a /permissions method that checks what permissions the token has (replies with a string that follows the same format as the oauth ask for permissions gateway thing does). This should require authentication that is the owner of the auth app.
This may take a while to implement, I get that, but it would still be really cool if I could have something like this to deal with. Thanks for reading my extremely long post, I do talk on and on sometimes, but I hope you liked this suggestion if you made it this far. I’m fine with tweaks to this, I just want something that resembles this pretty well (basically similar to github’s oauth apps thing).
Thanks for reading! (if you did, not gonna blame you if you skipped a bit)
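As an added example (not code from the post, and not part of Glitch's API), the flow proposed above modelled as a small in-memory Python service: an app is registered with a name and an exact-match redirect URI, an auth URL is generated from checkbox-chosen scopes, the user approves and may grant fewer scopes than were requested, the token is handed back as a query parameter on the redirect, the API checks scope on each call, the user can revoke from a settings tab, and the `/validate` and `/permissions` lookups answer only the app's owner. The scope names, URLs, account names and the `gt_` token prefix are assumptions, since the post leaves those open.

```python
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed scope vocabulary: the post does not define the permission format.
KNOWN_SCOPES = frozenset({"projects:read", "projects:write", "settings:read"})


@dataclass
class OAuthApp:
    app_id: str
    owner: str          # account that registered the app
    name: str
    redirect_uri: str   # registered once; the token is only ever sent here


@dataclass
class TokenRecord:
    app_id: str
    user: str           # account that approved the app
    scopes: frozenset
    revoked: bool = False


def _digest(token):
    # Only a hash of the secret is stored, so a leaked token table is not directly usable.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    def __init__(self):
        self.apps = {}      # app_id -> OAuthApp
        self.tokens = {}    # token digest -> TokenRecord

    def register_app(self, owner, name, redirect_uri):
        app_id = secrets.token_hex(8)
        self.apps[app_id] = OAuthApp(app_id, owner, name, redirect_uri)
        return app_id

    def build_auth_url(self, app_id, scopes):
        """The 'auth url generator': only known scopes can be requested (placeholder host)."""
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        query = urlencode({"app_id": app_id, "scope": " ".join(sorted(scopes))})
        return "https://example.invalid/oauth/authorize?" + query

    def approve(self, user, auth_url, granted):
        """User reviews the request, grants a subset, and is sent to the registered redirect."""
        q = parse_qs(urlparse(auth_url).query)
        app = self.apps[q["app_id"][0]]
        requested = set(q["scope"][0].split())
        granted = frozenset(granted)
        if not granted <= requested:
            raise PermissionError("granted scopes must be a subset of the requested ones")
        token = "gt_" + secrets.token_urlsafe(24)
        self.tokens[_digest(token)] = TokenRecord(app.app_id, user, granted)
        return app.redirect_uri + "?" + urlencode({"token": token})   # as proposed in the post

    def authorize(self, token, required_scope):
        """API-side check: returns the approving user if the token is live and has the scope."""
        rec = self.tokens.get(_digest(token))
        if rec is None or rec.revoked or required_scope not in rec.scopes:
            raise PermissionError("token missing, revoked, or lacks scope " + required_scope)
        return rec.user

    def revoke(self, user, token):
        """The 'auth tokens' settings tab: only the user who approved a token may delete it."""
        rec = self.tokens.get(_digest(token))
        if rec is None or rec.user != user:
            raise LookupError("no such token for this user")
        rec.revoked = True

    def _owned_record(self, caller, token):
        # GET /tokens/:token/* is answered only for the owner of the app that holds the token.
        rec = self.tokens.get(_digest(token))
        if rec is None or self.apps[rec.app_id].owner != caller:
            return None
        return rec

    def validate(self, caller, token):
        rec = self._owned_record(caller, token)
        return rec is not None and not rec.revoked

    def permissions(self, caller, token):
        rec = self._owned_record(caller, token)
        if rec is None:
            raise LookupError("unknown token or caller is not the app owner")
        return " ".join(sorted(rec.scopes))


def demo():
    """Run the whole flow with constructed accounts and return what each check observed."""
    svc = TokenService()
    app_id = svc.register_app("alice", "project-magic", "https://app.example.invalid/cb")
    url = svc.build_auth_url(app_id, ["projects:read", "projects:write"])
    redirect = svc.approve("bob", url, ["projects:read"])      # bob grants less than asked
    token = parse_qs(urlparse(redirect).query)["token"][0]
    results = {
        "user_for_read": svc.authorize(token, "projects:read"),
        "perms_seen_by_owner": svc.permissions("alice", token),
        "valid_before_revoke": svc.validate("alice", token),
        "valid_seen_by_stranger": svc.validate("mallory", token),
    }
    try:
        svc.authorize(token, "projects:write")
        results["write_allowed"] = True
    except PermissionError:
        results["write_allowed"] = False
    svc.revoke("bob", token)
    results["valid_after_revoke"] = svc.validate("alice", token)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two deliberate choices differ from the post: only a digest of each token is kept, so a settings tab could list an app's name and scopes but could not redisplay the token value; and `validate` answers `False` rather than raising for a caller who is not the app owner, so it does not confirm to a third party whether a token exists.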


#2

That sounds really good, and also like a whole lot of work :slight_smile: While we would like to do that eventually, it won’t make it to the top of the list in the near future - we have a lot of other things planned that will come first.